Hi. I will be posting all the testing-related stuff here. The content posted here is a collection from different websites.

Thursday, June 14, 2012

Security Testing for Web Application




What is Security Testing?
Security testing is a process to determine that the information system protects data and maintains functionality as intended.
Security testing can also be defined as the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform.



Six concepts of Security Testing
  • Confidentiality

A security measure that protects data or information against disclosure to parties other than the intended ones.
  • Integrity

Whether the intended receiver receives the information or data unaltered in transmission.
  • Authentication

Allows a receiver to have confidence that the information it receives originated from a specific, known source.
  • Authorization

The process of determining that a requester is allowed to receive a service or perform an operation.
  • Availability

Assuring information and communications services will be ready for use when expected.
  • Non-repudiation

Interchange of authentication information with some form of provable time stamp, e.g. together with a session id.



Some Security problems in Web Applications
  • SQL injection

In this vulnerability, SQL queries can be injected in the form of user input data, which can result in a number of insecure behaviours. For example, on a login page, if the application is not protected against SQL injection, then anyone can use it to get all the user names and passwords stored in the database. This technique is mostly used in situations where the SQL query is dynamically generated from data or parameters supplied by the user. This vulnerability can be extremely dangerous since SQL is often used for authentication, authorization, billing, etc.

  • Cross Site Scripting (XSS)

An attacker can use this method to execute a malicious script or URL in the victim's browser. Using cross-site scripting, the attacker can use scripts such as JavaScript to steal user cookies and the information stored in them.
Many web applications take some user information and pass it between pages in variables.
E.g.: http://www.examplesite.com/index.php?userid=123&query=xyz
An attacker can easily pass malicious input or a <script> tag as the '&query' parameter, which, if the page echoes the parameter without encoding it, can expose important user/server data in the browser.
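The two problems above share one root cause: untrusted input is pasted into a query or a page as if it were code. The following added example (not from the original post) shows a login query and a search-result page built the vulnerable way beside the hardened form; the in-memory user table and the input strings are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory user table so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_unsafe(db, name, password):
    # Vulnerable: the query text is assembled from user-supplied strings,
    # so a quote character in the input becomes part of the SQL syntax.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, name, password):
    # Hardened: placeholders send the values separately from the query
    # text, so the database never parses them as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


def render_unsafe(query):
    # Vulnerable: the 'query' parameter is echoed into HTML as-is, so any
    # tag it contains is rendered (and run) by the browser.
    return f"<p>Results for {query}</p>"


def render_safe(query):
    # Hardened: encode <, >, &, and quotes before placing text inside HTML,
    # so the browser shows the characters instead of interpreting them.
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    quoted = "x' OR '1'='1"  # constructed input containing a single quote
    print("unsafe login with quoted input:", login_unsafe(db, "alice", quoted))
    print("safe login with quoted input:  ", login_safe(db, "alice", quoted))
    print(render_safe("<script>alert(1)</script>"))
```

Running it shows the string-built query accepting a wrong password that merely contains a quote, while the parameterized query rejects it, and the escaped page rendering the tag as text.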

  • Spoofing


The creation of hoax look-alike websites or emails is called spoofing.



Tools used for Security Testing
  • Netsparker


This tool can detect SQL injection and cross-site scripting issues.
Once a scan is complete, it displays the solutions beside the issues and lets the user see the browser view and the HTTP request/response.

  • Websecurify

Websecurify is a very easy-to-use, open source tool which automatically identifies web application vulnerabilities using advanced discovery and fuzzing technologies.
It can create simple reports (which can be exported into multiple formats) once it has run.
The tool is also multilingual and extensible through add-on support.

  • Wapiti

Wapiti is an open source, web-based tool that scans the pages of a deployed web application, looking for scripts and forms where it can inject data.
It is built with Python and can detect:
- File handling errors (local and remote include/require, fopen, readfile, ...)
- Database, XSS, LDAP and CRLF injections (HTTP response splitting, session fixation)
- Command execution (eval(), system(), passthru())

  • N-Stalker

The free edition performs a restricted yet still powerful set of web security assessment checks compared to the paid versions of the application.
It can check up to 100 web pages at once, including web server and cross-site scripting checks.

  • Scrawlr

Scrawlr is free software for scanning web applications for SQL injection vulnerabilities.
It was developed by the HP Web Security Research Group in coordination with the Microsoft Security Response Center.

  • Watcher

It is a plug-in for Fiddler and works as a passive analysis tool for HTTP-based web applications.
Watcher runs silently in the background and applies 30+ tests (new ones can be added) to the traffic while the user browses the application.
It identifies issues such as cross-domain form POSTs, dangerous context switching between HTTP and HTTPS, etc.



  • X5s


X5s is again a plug-in for Fiddler, just like Watcher, and is designed to find encoding and character transformation issues that can lead to XSS vulnerabilities.
It simply tests user-controlled input using special characters like <, >, and ', and reviews how the output encodes those special characters.
